Forescout's Christina Hoefer
For more than a decade, cybersecurity researchers have been working to identify vulnerabilities in operational technology (OT) devices. From the seminal work of Project Basecamp, which coined the phrase “insecure-by-design,” to the June 2022 disclosure of OT:ICEFALL (a homage to Project Basecamp), cybersecurity researchers have discovered a mountain of vulnerabilities in OT devices. These vulnerabilities are exacerbated by the proprietary nature of OT devices, the false sense of security provided by certifications, and the challenges organizations face with vulnerability management.
In the case of OT:ICEFALL, Forescout researchers disclosed 56 vulnerabilities affecting remote terminals, programmable logic controllers (PLCs) and SCADA systems from vendors including Emerson, Honeywell and Motorola. Attackers could exploit these vulnerabilities to remotely install malware, to change configurations, to steal credentials, to enable unauthorized access, and to take a device offline completely.
So, why is it fair to call these devices insecure by design? More than a third of OT:ICEFALL’s vulnerabilities allow for compromise of credentials (38%), with firmware manipulation coming in second (21%) and remote code execution coming third (14%). Furthermore, 74% of these had earned some sort of security certification giving a false sense of security. Given the antiquated evaluation and certification processes, vendors pursuing a rigorous security standard might benefit from identifying a new testing requirements process.
In general, there is a lack of visibility into vulnerable OT devices. What may begin with insecure design choices and insufficient testing criteria is further complicated by the lack of comprehensive vulnerability and exposure insights. Ideally, device vendors should be transparent about design choices because it is difficult for cybersecurity teams to manage risk without this understanding.
As IT and OT environments converge, more of the organization becomes digitally connected and further research is pursued to identify insecure designs and exploitable weaknesses—attackers push forward and don’t sit still. Even worse, it often seems that threat actors have better visibility into the vulnerable devices on a network than the organizations that own and operate them.
To even the odds, here are three steps organizations can take to protect their OT environment:
- Discover: First, organizations need to discover all their assets (e.g., engineering clients, temporary contractor devices, process controllers, network equipment, IP cameras and building sensors), where they are, and how they are connected. This may be easier said than done in complex OT environments, but there are a variety of approaches to avoid downtime. Non-intrusive network-monitoring, such as deep packet inspection (DPI), and agentless approaches avoid affecting production environments. Specific cybersecurity solutions designed for OT environments can discover vulnerable devices and prioritize a response. There are a variety of additional benefits to this sort of discovery, such as continuously monitoring the network for new devices and identifying other process errors and misconfigurations that need correcting.
- Assess: Industrial organizations need to understand their cybersecurity and operational risks to effectively minimize unplanned downtime due to breaches or operational issues. Operational risks include an understanding of critical process operations, device behaviors and potential misconfigurations, whereas cybersecurity risks include device vulnerabilities and the use of weak security standards and undesired connectivity to the internet or other networks. The sort of discovery process described above is useful in completing this risk assessment non-intrusively and automatically. Likewise, these solutions may offer additional benefits, such as monitoring network traffic for malicious or malformed traffic, undesired process operations or changing device behavior, weak security and other indicators of compromise (IOCs).
- Govern: Once an organization has discovered its assets and assessed their risks, there are a variety of actions to put into protection. First, they can fix weakened security by eliminating the use of default credentials or insecure protocols. Then, network segmentation can be applied to isolate vulnerable devices or to restrict communication between IT and OT and other network areas. Enforcing further, least-privileged access is also a great foundation for zero-trust security. Eventually, organizations will need to devise their own remediation plan, based on their ability to take remediation actions and on progressive patches released by device manufacturers. In some cases, it may be impossible to patch certain OT devices. However, continuous network-monitoring with an incident-response plan and dynamic network segmentation with automated response is an effective mitigation.
It is vital for organizations to seek and employ a cross-functional approach to this process. When cybersecurity teams work together with operational-technology teams, they gain a better understanding of how OT devices are intended to work, how they can better protect them, and how these teams can work more efficiently; even something as simple as who should be contacting who in the case of an emergency. This process should be continuous, such that new incidents that emerge may result in the creation of new policies to prevent them in the future.
Insecure-by-design issues are not going away any time soon. Organizations should try to make intelligent investments—both into responsible vendors with established security processes and in sophisticated cybersecurity solutions that enable them to discover, assess and govern the vulnerable devices that remain.
Christina Hoefer is VP, Global Industrial Enterprise with Forescout
